Step by Step Guidelines for Handling a Cyberattack at a Medical Facility

The four most important things a medical institution needs to do in the event of a cyber attack

Unfortunately, cyber attacks on healthcare facilities are all too common. Reported attacks grew by 63% in the last year and will most likely continue to grow as attackers target clinics, hospitals and other public and private healthcare facilities with ransomware, phishing, malware and direct intrusions. Given these facts, it is important to be aware of the following step-by-step guidelines for handling a cyber attack. This guidance is based on the Department of Health and Human Services (HHS) cyber attack response checklist and applies to any medical institution.

Respond

Every medical institution needs to have a plan for how to respond to a cyber attack. Employees who suspect an attack need to know whom to contact about their concerns, be it a supervisor, the hospital's IT department or an outside third party. Those who are responsible for handling the aftermath of an attack need to know what to do with patient data and other sensitive information. They also need the authority to take decisive action, such as isolating affected systems, to prevent or limit a breach of data.

The type of plan your medical institution develops will naturally depend on a number of factors. eMDTec has the experience and expertise needed to handle cyber attacks, but because we would handle protected health information, we would need to sign a HIPAA business associate agreement with your facility before we can begin work on your systems. Those who run a large medical institution may want to have a full-time IT security specialist or department tasked with not only responding to attacks but also preventing them.

It should be noted that a plan to respond to ransomware must be different from a plan for managing the aftermath of another type of cyber attack. Ransomware encrypts the data on your systems and holds it hostage until a ransom is paid, with no guarantee that paying will actually restore access. A plan for such an event will need to include not only disconnecting shared drives and removing the affected computers from the network to stop the encryption from spreading, but also shutting down certain departments if up-to-date patient data is not available from a backup that the attacker could not reach.

Contact Law Enforcement

Contact law enforcement agencies as soon as you discover a cyber attack on your computer system. Get in touch with the FBI, Secret Service, and your local police department and tell them what you know about the cyber attack. Don’t worry if you haven’t completely assessed your systems to discover the extent of the attack; that comes later on. The most important thing to do at this stage is to report the attack without divulging patient information.

Be aware that your next steps will depend on how law enforcement officials advise you to proceed. In some instances, one or more law enforcement agencies may ask you to hold off on notifying affected individuals, the media or HHS in order to avoid impeding an ongoing investigation or jeopardizing national security. If such a request is made in writing, it will state how long you should delay notification. If the request is made orally, document the statement and the identity of the official who made it; an oral request permits a delay of no more than 30 days from the date it was made, unless a written statement is provided during that period.

Reporting the Threat

After reporting the incident to law enforcement officials, you will need to share cyber threat indicators from the attack with federal and private-sector information sharing and analysis organizations (ISAOs), the Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response. Once again, all patient information should be removed from these reports in accordance with HIPAA requirements.

Assess the Breach

The final step is to assess the nature of the breach and determine how many individuals' records were compromised. If fewer than 500 individuals are affected, you must notify each affected individual and log the breach so that it can be reported to HHS within 60 days after the end of the calendar year in which it was discovered. If 500 or more individuals are affected, you must notify the HHS Office for Civil Rights (OCR) at the same time you notify the individuals, and if more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that area. In every case, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered.

Some criminals behind ransomware attacks threaten to publish stolen data rather than simply leaving it encrypted. Such a situation can pose a serious legal dilemma for hospitals that are tasked with keeping patient information secure but at the same time are advised by the FBI to avoid paying a ransom. In such a case, it may be wise to seek immediate legal help in addition to taking the steps outlined above. Note also that HHS treats the ransomware encryption of unsecured patient data as a presumed breach unless your risk assessment demonstrates a low probability that the data was compromised, so the notification steps above apply even when there is no evidence that data was copied out of your network.

In Summary

Have plans in place for dealing with a cyber attack or potential cyber attack. Every employee who has access to your computer systems should know what to do if such an attack takes place. A good plan can limit the exposure of sensitive data or even stop an attack in its tracks.

The next step is to notify law enforcement officials, the DHS and the HHS Assistant Secretary for Preparedness and Response. Finally, you will need to examine your computer systems and data carefully to determine how many patient records have been breached. If you know or have reason to believe that 500 or more individuals are affected, notify the affected individuals, the OCR and, where required, the media without unreasonable delay.

Naturally, it is far better to do everything possible to prevent cyber attacks instead of having to deal with the aftermath. At eMDTec in New Jersey, we specialize in helping medical facilities create secure data storage solutions to protect valuable patient and employee data. We create personalized solutions for each medical facility and can even help you draw up an effective response plan should cyber criminals attempt to steal your data. Feel free to get in touch with us at info@emdtec.com or (800) 979-2879 to find out more about how we can help you prevent serious attacks that would cause legal problems, loss of data or even the temporary shutdown of services due to lack of data access.